diff --git a/bin/firewall-sosdg b/bin/firewall-sosdg index 4f2e2f3..4534d1d 100755 --- a/bin/firewall-sosdg +++ b/bin/firewall-sosdg @@ -29,6 +29,15 @@ BASEDIR=/etc/firewall-sosdg PATH=/usr/sbin:/usr/bin:/sbin:/bin #BASEDIR=`pwd` +# We require at least bash v3 or later at this point given some of the more complex +# operations we do to make the firewall script work. +if (( ${BASH_VERSINFO[0]} <= "2" )); then + echo "Error: We can only run with bash 3.0 or higher. Please upgrade your version" + echo "of bash to something more recent, preferably the latest which is, as of this" + echo "writing, 4.x" + exit 1 +fi + TWEAKS=$BASEDIR/tweaks if [ ! -r $BASEDIR/include/static ] || [ ! -r $BASEDIR/include/functions ]; then @@ -439,6 +448,39 @@ if [ "$ALLOWEDPROTO" ]; then reset_color fi +if [ "$IPV4_INTERCEPT" ]; then + display_c YELLOW "Adding packet interception rules: " N + for i in `grep -v "\#" $IPV4_INTERCEPT`; do + IFS_OLD=${IFS};IFS=\| + INTERCEPTADD=($i) + IFS=${IFS_OLD} + SRCIF=${INTERCEPTADD[0]} + SRCIP=${INTERCEPTADD[1]} + DSTIP=${INTERCEPTADD[2]} + DSTPROTO=${INTERCEPTADD[3]} + DSTPORT=${INTERCEPTADD[4]} + PROXY=${INTERCEPTADD[5]} + if [ "$SRCIF" ]; then + SRCIF="-i ${SRCIF}" + fi + if [ "$SRCIP" ]; then + SRCIP="-s ${SRCIP}" + fi + if [ "$DSTIP" ]; then + DSTIP="-d $DSTIP" + fi + if [ "$PROXY" != "BYPASS" ]; then + FINAL_RULE="-j DNAT --to-destination ${PROXY}" + else + FINAL_RULE="-j ACCEPT" + fi + $IPTABLES -t nat -A PREROUTING ${SRCIF} ${SRCIP} ${DSTIP} -p ${DSTPROTO} --dport ${DSTPORT} \ + ${FINAL_RULE} + display_c DEFAULT "\t${GREEN}${INTERCEPTADD[0]}:${BLUE}${INTERCEPTADD[1]}:${PURPLE}${INTERCEPTADD[2]}->${INTERCEPTADD[3]}:${INTERCEPTADD[4]}${AQUA}:proxy->${BLUE}${INTERCEPTADD[5]} " + done + reset_color +fi + if [ -s "$BASEDIR/include/ipv4_custom_notrack" ]; then display_c YELLOW "Loading custom NOTRACK rules..." diff --git a/include/static b/include/static index 4e67458..fea50b2 100755 --- a/include/static +++ b/include/static 
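Review bot: The failure message in the new `if (( ${BASH_VERSINFO[0]} <= "2" ))` block is written with plain `echo`, so it goes to stdout and is lost when the script is started from an init script or cron job that only keeps stderr; each `echo` should end in `>&2`. The test itself relies on `(( ))` and an array subscript, so if an old bash or a non-bash `/bin/sh` ever runs this file it dies with a syntax error before the message is reached (the shebang is outside the hunk, so this is an assumption). A guard that parses in any POSIX shell is `if [ -z "$BASH_VERSION" ] || [ "${BASH_VERSINFO:-0}" -lt 3 ]; then`, with the existing `echo` lines redirected to stderr.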
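Review bot: The intercept loop never checks that a line carries every field the `$IPTABLES -t nat -A PREROUTING ... -p ${DSTPROTO} --dport ${DSTPORT} ${FINAL_RULE}` command needs, nor the command's exit status, so a short or mistyped entry makes iptables fail on a half-built argument list, the green summary line is printed anyway, and the traffic the administrator expected to be redirected is simply not intercepted. The `for i in \`grep -v "\#" $IPV4_INTERCEPT\`` driver also word-splits on whitespace and throws away any line that contains `#` anywhere, not only comment lines. Reading the file with `while IFS= read -r`, skipping only blank lines and lines that start with `#`, refusing entries whose proto, port or proxy field is empty, and reporting a non-zero exit from `$IPTABLES` keeps a malformed entry from silently leaving a gap. Whether a rejected entry should abort the whole load instead of being skipped depends on how the rest of the script treats rule failures, which is outside this hunk.
```shell
if [ "$IPV4_INTERCEPT" ]; then
  display_c YELLOW "Adding packet interception rules: " N
  # One rule per line; do not word-split on whitespace, and skip only blank/comment lines
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|\#*) continue ;; esac
    IFS_OLD=${IFS};IFS=\|
    INTERCEPTADD=($line)
    IFS=${IFS_OLD}
    # … unchanged: SRCIF/SRCIP/DSTIP/DSTPROTO/DSTPORT/PROXY assignments and the optional -i/-s/-d handling …
    # proto, port and proxy are mandatory: never hand iptables a half-built rule
    if [ -z "$DSTPROTO" ] || [ -z "$DSTPORT" ] || [ -z "$PROXY" ]; then
      display_c YELLOW "\tSkipping malformed intercept entry: ${line}"
      continue
    fi
    # … unchanged: FINAL_RULE selection (DNAT vs BYPASS) …
    if ! $IPTABLES -t nat -A PREROUTING ${SRCIF} ${SRCIP} ${DSTIP} -p ${DSTPROTO} --dport ${DSTPORT} \
        ${FINAL_RULE}; then
      display_c YELLOW "\tFailed to add intercept rule for: ${line}"
      continue
    fi
    # … unchanged: display_c DEFAULT summary line …
  done < "$IPV4_INTERCEPT"
  reset_color
fi
```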
@@ -74,3 +74,13 @@ EXTIP_FIND="$BASEDIR/bin/get_default_ip" # By default, we allow ipv6 critical icmp IPV6_ICMP_CRITICAL=1 + +# IPv4 and IPv6 regex matches to determine if entry is valid. These may need +# to be tweaked over time. At the moment, we use by default the pattern here: +# http://stackoverflow.com/questions/53497/regular-expression-that-matches-valid-ipv6-addresses +IPV4_MATCH="(?:(?>(?>([a-f0-9]{1,4})(?>:(?1)){7})|(?>(?!(?:.*[a-f0-9](?>:|$)){8,})((?1)(?>:(?1)){0,6})?::(?2)?))|(?>(?>(?>(?1)(?>:(?1)){5}:)|(?>(?!(?:.*[a-f0-9]:){6,})((?1)(?>:(?1)){0,4})?::(?>(?3):)?))?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\.(?4)){3}))" +IPV6_MATCH="(?:(?>(?>([a-f0-9]{1,4})(?>:(?1)){7})|(?>(?!(?:.*[a-f0-9](?>:|$)){8,})((?1)(?>:(?1)){0,6})?::(?2)?))|(?>(?>(?>(?1)(?>:(?1)){5}:)|(?>(?!(?:.*[a-f0-9]:){6,})((?1)(?>:(?1)){0,4})?::(?>(?3):)?))?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\.(?4)){3}))" +# At the moment I don't have a valid way of verifying ranges within a certain constraint (ie /0 through /32) +# If anyone wants to write these, feel free to! +IPV4_NETMASK_MATCH="" +IPV6_NETMASK_MATCH="" \ No newline at end of file diff --git a/options.default b/options.default index 6c47963..501b4d9 100755 --- a/options.default +++ b/options.default @@ -109,6 +109,9 @@ TRUSTEDIP="127.0.0.1" # use otherwise. DONTTRACK="127.0.0.1" +# Intercept IPv4 packets for use in a transparent proxy +#IPV4_INTERCEPT=$BASEDIR/conf/ipv4-intercept + # IP range(s) to forward #ROUTING=$BASEDIR/conf/ipv4-routing
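Review bot: `IPV4_MATCH` is byte-for-byte the same string as `IPV6_MATCH`, and both are the PCRE IPv6 pattern from the cited StackOverflow answer, which depends on atomic groups `(?>`, subroutine calls `(?1)` and lookahead `(?!`; bash `[[ =~ ]]` and `grep -E` are POSIX ERE and reject those constructs, so neither variable can perform the entry validation the comment promises, and nothing else in this commit references them yet. For IPv4 a plain ERE is sufficient: `IPV4_MATCH="^(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])){3}$"`. If the IPv6 pattern is kept it has to be applied with `grep -P`, and the comment should say so; whichever engine is used, anchor with `^...$` so a field with trailing garbage after a valid address is rejected rather than matched as a substring.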
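Review bot: The new `#IPV4_INTERCEPT=$BASEDIR/conf/ipv4-intercept` line is the only place a user learns this feature exists, and the line format the loader expects — six `|`-separated fields with `BYPASS` as a sentinel in the last one — is not described anywhere in the change. Expanding the comment to `# Intercept IPv4 packets for use in a transparent proxy. One rule per line:` / `#   in_iface|src_ip|dst_ip|proto|dst_port|proxy   (proxy = BYPASS accepts instead of DNAT)` / `#   empty in_iface/src_ip/dst_ip match anything; lines containing '#' are skipped` documents what the loader actually does with each field.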